Bug #532
repo dbs not signed
Status: open
Priority: critical
Assignee: -
% Done: 0%
Description
After checking every repository, I couldn't find a repo.db.sig file in the repositories. Running pacman+WGET reports a 404 Not Found. Pacman ignores this error, and it can only be seen using WGET. After checking upstream Arch's repositories, it seems like this is inherited from Arch. It would be nice if we could sign our repo dbs, as mtjm pointed out nicely that an attacker can fake packages being old or missing, preventing the system from getting a security update.
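The silent 404 described above follows from pacman's `SigLevel` setting: at `Optional` a missing database signature is not an error, and only `Required` (or `DatabaseRequired`) turns an absent repo.db.sig into a failed sync. The audit below is an added example, not code from this report or from pacman; it uses a simplified model of pacman.conf (no `Include` handling, built-in default assumed to be `Optional`) and a constructed sample configuration.

```python
# Constructed sample in pacman.conf syntax; repository names are examples.
SAMPLE_CONF = """\
[options]
SigLevel = Required DatabaseOptional
[libre]
[core]
SigLevel = DatabaseRequired
[local-test]
SigLevel = Never   # no checks at all
"""

WHEN = ("Never", "Optional", "Required")


def apply_siglevel(current, value):
    """Fold SigLevel tokens into the database level (Package*/Trust* ignored)."""
    for token in value.split():
        if token in WHEN:  # unprefixed tokens cover packages and databases
            current = token
        elif token.startswith("Database") and token[8:] in WHEN:
            current = token[8:]
    return current


def database_siglevels(conf_text, builtin_default="Optional"):
    """Map each repo to its database level; repo SigLevel merges over [options]."""
    global_level, repo_values, section = builtin_default, {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            if section != "options":
                repo_values[section] = ""
        elif section and line.partition("=")[0].strip() == "SigLevel":
            value = line.partition("=")[2]
            if section == "options":
                global_level = apply_siglevel(global_level, value)
            else:
                repo_values[section] += " " + value
    return {r: apply_siglevel(global_level, v) for r, v in repo_values.items()}


def unsigned_db_accepted(conf_text):
    """Repositories whose sync continues when repo.db.sig is missing."""
    levels = database_siglevels(conf_text)
    return sorted(r for r, level in levels.items() if level != "Required")


if __name__ == "__main__":
    print(unsigned_db_accepted(SAMPLE_CONF))
```

Switching a repository to `DatabaseRequired` only helps once the repository actually publishes the .sig file; until then every sync of that repository fails.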